Mac Malware Mining Monero

Last week, news spread of an Android botnet that was mining Monero. The news spread as fast as the botnet itself, and is still appearing in my newsfeed daily. Surprisingly, another piece of malware was found that was also being used to mine Monero, but this one was found to be operating on Macs. That story, oddly enough, hasn’t found the legs in the media that the Android story has.

This Mac malware was discovered by Arnaud Abbati, a security researcher at SentinelOne. He named the malware OSX.CreativeUpdate, and it was unknowingly being distributed by popular Mac software site MacUpdate.com. Once installed, the malware would sit in the background and use the infected computers to mine the cryptocurrency.

The malware followed the typical strategy of posing as legitimate apps. In fact, the MacUpdate site had been hacked so that its download links for Firefox, OnyX, and Deeper pointed to fake download sites made to look like the official ones. Users who chose one of those apps were sent to titaniumsoftware.org (the actual site is titanium-software.fr) or cdn-mozilla.net (the real site is mozilla.net). Users would easily mistake these for the legitimate download locations, and that is precisely what happened.
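The lookalike domains above are the kind of thing a web-proxy or DNS log review can catch. The following is an added example, not code from the article or from SentinelOne or MacUpdate: it scans constructed proxy log lines (the log format and the `client=`/`host=` fields are assumptions) against a hypothetical allowlist of the legitimate download domains the article names, and flags hosts whose name matches a legitimate domain once hyphens and the top-level domain are ignored, or that sit within one character of it.

```python
import re

# Constructed sample proxy log lines (not real traffic). The two lookalike
# hosts are the ones the article names; the rest are benign filler.
SAMPLE_LOG = """\
2018-02-05T10:12:01Z client=10.0.0.12 method=GET host=titaniumsoftware.org path=/onyx.dmg
2018-02-05T10:12:44Z client=10.0.0.15 method=GET host=cdn-mozilla.net path=/firefox.dmg
2018-02-05T10:13:02Z client=10.0.0.20 method=GET host=download.mozilla.net path=/firefox.dmg
2018-02-05T10:14:11Z client=10.0.0.22 method=GET host=titanium-software.fr path=/onyx.dmg
2018-02-05T10:15:30Z client=10.0.0.30 method=GET host=example.com path=/index.html
"""

# Hypothetical allowlist: the legitimate download domains as the article gives them.
LEGIT_DOMAINS = {"titanium-software.fr", "mozilla.net"}

# Assumed log layout: "client=<ip> ... host=<hostname>" somewhere on each line.
LOG_RE = re.compile(r"client=(?P<client>\S+).*?host=(?P<host>\S+)")


def registrable_domain(host):
    """Reduce a hostname to its last two labels (no public-suffix list here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def name_stem(domain):
    """Drop the TLD and hyphens so 'titanium-software.fr' and
    'titaniumsoftware.org' compare equal."""
    return domain.rsplit(".", 1)[0].replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, legit=LEGIT_DOMAINS):
    """Return the legitimate domain that `host` resembles, or None if it is
    either genuinely on the allowlist or unrelated to anything on it."""
    domain = registrable_domain(host)
    if domain in legit:
        return None  # a real subdomain of an allowed domain is fine
    stem = name_stem(domain)
    for real in sorted(legit):
        real_stem = name_stem(real)
        if stem == real_stem:
            return real  # same name, different TLD and/or hyphenation
        if len(real_stem) >= 5 and real_stem in stem:
            return real  # brand name embedded in a longer registrable name
        if edit_distance(stem, real_stem) <= 1:
            return real  # one-character typosquat
    return None


def scan_log(text):
    """Yield (client, host, impersonated_domain) for every suspicious fetch."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        real = lookalike_of(m["host"])
        if real:
            hits.append((m["client"], m["host"], real))
    return hits


if __name__ == "__main__":
    for client, host, real in scan_log(SAMPLE_LOG):
        print(f"{client} fetched from {host}, which resembles {real}")
```

The registrable-domain step is deliberately naive (last two labels) so the script stays dependency-free; in production you would use a public-suffix list, and the allowlist would be the vendor domains your own software inventory actually depends on rather than the two named here.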

Luckily, MacUpdate responded quickly, removing the malicious links and informing customers how to remove the malware and obtain the genuine versions of the software they purchased.

One might think that the distributing site’s quick discovery and fix led to the story not receiving the media attention the Android malware did, but that would ignore one aspect of the malware: it’s still out there. And while we can be sure that this distribution pathway has been closed, we can also be sure that malicious actors don’t stop at their first closed door.